SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Proxy-Arp only works if monitoring external interface

    Posted 09-05-2016 12:13

    Configuring a new srx220 with proxy arp. ISP gives a /29 to use. I have both static nat and destination nat configured for some of the ips I have set up with proxy-arp. None of them were working at all, however when I issue the command:

    monitor traffic interface ge-0/0/0.0 no-resolve

    Proxy arp magically works for everything as long as I have the monitor command running.

    Seems strange, what am I missing?



  • 2.  RE: Proxy-Arp only works if monitoring external interface

    Posted 09-05-2016 12:30

    Hi


    I'm not sure why this may happen, can you post relevant parts of the config and "show route" output, obfuscating the real IP addresses?



  • 3.  RE: Proxy-Arp only works if monitoring external interface

    Posted 09-05-2016 12:44
    interfaces {                            
        ge-0/0/0 {                          
            unit 0 {                        
                proxy-arp;                  
                family inet {               
                    address 173.xxx.xx.233/29;
                }                           
            }                               
        }                                   
        ge-0/0/1 {                          
            unit 0 {                        
                family ethernet-switching { 
                    vlan {                  
                        members default;    
                    }                       
                }                           
            }                               
        }                                   
        ge-0/0/2 {                          
            unit 0 {                        
                family ethernet-switching { 
                    vlan {                  
                        members vlan-dmz;   
                    }                       
                }                           
            }                               
        }                                   
        ge-0/0/3 {                          
            unit 0 {                        
                family ethernet-switching { 
                    vlan {                  
                        members vlan-dmz;   
                    }                       
                }                           
            }                               
        }                                   
        ge-0/0/4 {                          
            unit 0 {                        
                family ethernet-switching { 
                    vlan {                  
                        members vlan-dmz;   
                    }                       
                }                           
            }                               
        }                                   
        ge-0/0/5 {                          
            unit 0 {                        
                family ethernet-switching { 
                    vlan {                  
                        members default;    
                    }                       
                }                           
            }                               
        }                                   
        ge-0/0/6 {                          
            unit 0 {                        
                family ethernet-switching { 
                    vlan {                  
                        members vlan-dmz;   
                    }                       
                }                           
            }                               
        }                                   
        ge-0/0/7 {                          
            unit 0 {                        
                family ethernet-switching;  
            }                               
        }                                   
        lo0 {                               
            unit 0 {                        
                family inet {               
                    address 127.0.0.1/32;   
                }                           
            }                               
        }                                   
        st0 {                               
            unit 0 {                        
                family inet {               
                    address 10.255.0.2/30;  
                }                           
            }                               
        }                                   
        vlan {                              
            unit 0 {                        
                family inet {               
                    address 192.168.1.254/24;
                }                           
            }                               
            unit 5 {                        
                family inet {               
                    address 192.168.2.254/24;
                }                           
            }                               
        }                                   
    }

    routing-options {
        static {
            route 0.0.0.0/0 next-hop 173.xx.xx.238;
            route 10.30.0.0/16 next-hop st0.0;
        }
    }

    nat {
        source {
            pool src-nat-pool-data {
                address {
                    173.xx.xx.234/32;
                }
            }
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule data-test-rule {
                    match {
                        source-address 192.168.1.10/32;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                src-nat-pool-data;
                            }
                        }
                    }
                }
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set dmz-to-untrust {
                from zone dmz;
                to zone untrust;
                rule source-nat-rule2 {
                    match {
                        source-address 192.168.2.10/32;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                src-nat-pool-data;
                            }
                        }
                    }
                }
            }
        }
        destination {
            pool dst-nat-pool-1 {
                address 192.168.2.10/32 port 80;
            }
            rule-set rs1 {
                from zone untrust;
                rule r1 {
                    match {
                        destination-address 173.xx.xx.234/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool dst-nat-pool-1;
                    }
                }
            }
        }
        static {
            rule-set static-net03 {
                from zone untrust;
                rule rule1 {
                    match {
                        destination-address 173.xx.xx.237/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.2.17/32;
                            }
                        }
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    173.xx.xx.235/32;
                    173.xx.xx.236/32;
                    173.xx.xx.237/32;
                    173.xx.xx.234/32;
                }
            }
        }
    }

    vlans {
        default {
            vlan-id 1;
            l3-interface vlan.0;
        }
        vlan-dmz {
            vlan-id 5;
            l3-interface vlan.5;
        }
    }

    show route

    inet.0: 15 destinations, 15 routes (14 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 00:03:50
                        > to 173.167.79.238 via ge-0/0/0.0
    10.30.0.0/16       *[Static/5] 00:04:04
                        > via st0.0
    10.255.0.0/30      *[Direct/0] 00:04:04
                        > via st0.0
    10.255.0.2/32      *[Local/0] 00:04:04
                          Local via st0.0
    173.xx.xx.232/29   *[Direct/0] 00:03:50
                        > via ge-0/0/0.0
    173.xx.xx.233/32   *[Local/0] 00:03:55
                          Local via ge-0/0/0.0
    173.xx.xx.234/32   *[Static/1] 00:03:55
                          Discard
    173.xx.xx.235/32   *[Static/1] 00:03:55
                          Discard
    173.xx.xx.236/32   *[Static/1] 00:03:55
                          Discard
    173.xx.xx.237/32   *[Static/1] 00:03:55
                          Discard
    192.168.1.0/24     *[Direct/0] 00:03:50
                        > via vlan.0
    192.168.1.254/32   *[Local/0] 00:04:04
                          Local via vlan.0
    192.168.2.0/24     *[Direct/0] 00:03:50
                        > via vlan.5
    192.168.2.254/32   *[Local/0] 00:04:04
                          Local via vlan.5


  • 4.  RE: Proxy-Arp only works if monitoring external interface

    Posted 09-05-2016 13:23

    You should try to remove proxy-arp setting from interface ge-0/0/0 unit 0 stanza.

    I don't think it is needed when you have it configured in [security].



  • 5.  RE: Proxy-Arp only works if monitoring external interface

    Posted 09-06-2016 06:21

    Thanks for the reply. I will test this out today. One other thing I noticed is that it is showing the "Next hop type" as discard, is that correct?

    I have a J-series router at another location that is successfully using proxy-arp and when I look at the routes for those ip addresses, it shows: "Next hop type: Receive"

    Thanks



  • 6.  RE: Proxy-Arp only works if monitoring external interface

    Posted 09-06-2016 08:12

    Hi


    That behavior changed somewhere between Junos versions.

    Both should be OK as far as I know.
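Posts 5 and 6 turn on what the route table says about the proxy-ARP addresses: the SRX installs them as Static/1 host routes with a "Discard" next hop, while an older J-series shows "Receive", and either is fine depending on the Junos release. The script below is an added example, not code from the thread or from Juniper: it parses the plain-text `show route` output the OP posted, classifies each route's next hop, and reports for every configured proxy-ARP address whether the box holds a discard or receive host route for it and whether the address falls inside a directly connected prefix on the outside interface (the precondition for the SRX to answer ARP for it on that link). The sample output is constructed from the OP's table with the obfuscated 173.xx.xx.x block replaced by the RFC 5737 documentation range 203.0.113.232/29, and one entry changed to "Receive" so both kinds appear; a constructed address outside the /29 is included to show the negative case.

```python
"""Classify next-hop types in Junos 'show route' text and audit proxy-ARP addresses.

Added example for the thread above; not from the original post or from Juniper.
Input is constructed: the OP's table with 203.0.113.232/29 standing in for the
obfuscated ISP /29, and 203.0.113.237 changed to a Receive next hop.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_SHOW_ROUTE = """\
inet.0: 15 destinations, 15 routes (14 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:03:50
                    > to 203.0.113.238 via ge-0/0/0.0
10.30.0.0/16       *[Static/5] 00:04:04
                    > via st0.0
203.0.113.232/29   *[Direct/0] 00:03:50
                    > via ge-0/0/0.0
203.0.113.233/32   *[Local/0] 00:03:55
                      Local via ge-0/0/0.0
203.0.113.234/32   *[Static/1] 00:03:55
                      Discard
203.0.113.235/32   *[Static/1] 00:03:55
                      Discard
203.0.113.236/32   *[Static/1] 00:03:55
                      Discard
203.0.113.237/32   *[Static/1] 00:03:55
                      Receive
"""

# Route header: "<prefix>/<len> *[<proto>/<pref>] <age>" (flag may be *, + or -).
HEADER_RE = re.compile(r"^(?P<prefix>\S+/\d+)\s+(?P<flag>[*+-]?)\[(?P<proto>\w+)/(?P<pref>\d+)\]")


@dataclass
class Route:
    prefix: str
    protocol: str
    preference: int
    active: bool
    nexthop_kind: str            # discard | receive | local | forward | unknown
    interface: Optional[str]     # egress interface when the next-hop line names one


def _classify_nexthop(line: str) -> Tuple[str, Optional[str]]:
    """Map one next-hop line to a kind plus the interface it names, if any."""
    text = line.strip().lstrip(">").strip()
    if text == "Discard":
        return "discard", None
    if text == "Receive":
        return "receive", None
    m = re.search(r"via (\S+)", text)
    iface = m.group(1) if m else None
    if text.startswith("Local"):
        return "local", iface
    if iface is not None:
        return "forward", iface
    return "unknown", None


def parse_show_route(text: str) -> List[Route]:
    """Parse 'show route' text; indentation is not relied on, so pasted output works too."""
    routes: List[Route] = []
    current: Optional[Route] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "destinations" in line:          # table banner such as "inet.0: 15 destinations, ..."
            current = None
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Route(m["prefix"], m["proto"], int(m["pref"]),
                            m["flag"] in ("*", "+"), "unknown", None)
            routes.append(current)
        elif current is not None and current.nexthop_kind == "unknown":
            # First line after the header carries the (primary) next hop.
            current.nexthop_kind, current.interface = _classify_nexthop(line)
    return routes


def check_proxy_arp(routes: List[Route], proxy_arp_addrs: List[str], interface: str) -> Dict[str, dict]:
    """For each proxy-ARP address report its host-route kind and whether it is on-link.

    Per the thread, a Discard (newer Junos) or Receive (older Junos) host route is
    the expected state; anything else, or no route at all, is flagged as not ok.
    """
    connected = [ipaddress.ip_network(r.prefix) for r in routes
                 if r.protocol == "Direct" and r.interface == interface]
    by_prefix = {r.prefix: r for r in routes if r.active}
    report: Dict[str, dict] = {}
    for addr in proxy_arp_addrs:
        ip = ipaddress.ip_address(addr)
        on_link = any(ip in net for net in connected)
        host = by_prefix.get(f"{addr}/32")
        kind = host.nexthop_kind if host else "missing"
        report[addr] = {"route": kind, "on_link": on_link,
                        "ok": on_link and kind in ("discard", "receive")}
    return report


if __name__ == "__main__":
    # 203.0.113.240 is constructed: it lies outside the /29, so it can never be proxied here.
    audit = check_proxy_arp(parse_show_route(SAMPLE_SHOW_ROUTE),
                            ["203.0.113.234", "203.0.113.237", "203.0.113.240"], "ge-0/0/0.0")
    for addr, info in audit.items():
        print(f"{addr:16} route={info['route']:8} on_link={info['on_link']!s:5} ok={info['ok']}")
```

Paste the real `show route` output in place of the sample and list the addresses from `security nat proxy-arp`; an address reported `missing` or not `on_link` points at the SRX configuration, whereas addresses that all come back `ok` (as the OP's did) mean the next step is off-box, which is where this thread ended up.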



  • 7.  RE: Proxy-Arp only works if monitoring external interface
    Best Answer

    Posted 09-07-2016 05:56

    Just to follow up on this. This is all working properly now, the culprit was a cached ARP table on a Comcast SMC modem. The only way to clear the cache is to power cycle the Comcast modem, apparently.